DATA PROTECTION ACT 2018 AND UK GENERAL DATA 
PROTECTION REGULATION 


REPRIMAND 
TO: The Chief Constable Dorset Police 


OF: Police Headquarters 
Winfrith Newburgh 
Dorchester 
Dorset 
DT2 8DZ 


1.1 The Information Commissioner (the Commissioner) issues a 
reprimand to the Chief Constable Dorset Police (Dorset Police) in 
accordance with Article 58(2)(b) of the UK General Data Protection 
Regulation (UK GDPR) and Schedule 13(2)(c) of the Data Protection Act 
2018 (DPA 2018) in respect of certain infringements of the UK GDPR and 
DPA 2018. 


The reprimand 


1.2 The Commissioner has decided to issue a reprimand to Dorset Police 
in respect of the following infringements of the UK GDPR: 


e Article 12(3) of the UK GDPR 
This states: 


‘The controller shall provide information on action taken ona 
request under Articles 15 to 22 to the data subject without undue 
delay and in any event within one month of receipt of the request. 
That period may be extended by two further months where 
necessary, taking into account the complexity and number of the 
requests.’ 


e Part 3, Chapter 3, Section 54 of the DPA 2018 
This states: 


‘(1) This section defines “the applicable time period” for the 
purposes of sections 45(3)(b) and 48(2)(b). 


(2) “The applicable time period” means the period of 1 month, or 
such longer period as may be specified in regulations, beginning 
with the relevant time. 


(5) Regulations under subsection (2) may not specify a period which 
is longer than 3 months.’ 


1.3 The reasons for the Commissioner’s findings are set out below. 


Dorset Police are the police force responsible for policing the county of 
Dorset in South West England. Dorset Police formed an alliance with 
Devon and Cornwall Police in April 2017 known as the Devon and 
Cornwall Police & Dorset Police Alliance (the Alliance). The two police 
forces formed the Alliance to enable them to work together to improve 
delivery, resilience and flexibility, as well as save money and increase 
efficiency in over 30 administrative and operational business areas, 
including data protection. 


Article 12(3) of the UK GDPR and Part 3, Chapter 3, Section 54 of 
the DPA 2018 


From the information provided by the Alliance during the course of the 
investigation, it was found that Dorset Police have continuously infringed 
Article 12(3) of the UK GDPR and Part 3, Chapter 3, Section 54 of the DPA 
2018 for over four years. In this case, Dorset Police have had a subject 
access request backlog since 2018. 


The subject access request statistics provided by the Alliance show that in 
September 2022, Dorset Police had 243 overdue subject access requests. 
Of these 243 overdue subject access requests, 33% (81) of the subject 

access requests were older than seven months, and 24% (52) were older 
than a year. More recent statistics show that as of November 2023 Dorset 


Police had 140 subject access requests awaiting a response. Of these 140 
subject access requests, 85% (120) of the subject access requests were 
older than one calendar month, and 9% (13) were older than four 
months. This evidences Dorset Police’s failure to respond to subject 
access requests in accordance with Article 12(3) of the UK GDPR and Part 
3, Chapter 3, Section 54 of the DPA 2018. 


Mitigating factors 


1.4 It has been noted that during the course of 2023 Dorset Police have 
been increasing their staffing levels. It is acknowledged that it does take 
time and resources to fully train up new data protection staff before 
significant impacts can be made on Dorset Police’s subject access request 
backlog. Whilst outstanding overdue requests remained, it can however 
be seen that the increased staffing levels introduced in April 2023, is 
assisting Dorset Police’s subject access request compliance. This is 
evidenced by the November 2023 subject access request statistics 
showing a reduction in the age of subject access requests awaiting 
completion. 


On 24 February 2023 The Alliance to which Dorset Police belong to 
provided a comprehensive action plan detailing how they aim to bring 
Dorset Police’s subject access request compliance back in line with Article 
12(3) of the UK GDPR. This action plan included details regarding 
recruiting and time scales. Further updated action plans were provided 
during the course of the investigation. 


Remedial steps taken by Dorset Police 


1.5 The Commissioner has also considered and welcomes the remedial 
steps taken by Dorset Police in light of this matter. In particular: 


e Increased staffing levels — As of 3 July 2023 the Alliance to 
which Dorset Police belong to have increased the pool of staff 
available to both forces by eight full time data protection advisors 
working 37 hours per week and two Advisors working 30 hours per 
week. 


e Implemented overtime - Along with increasing staffing levels the 
Alliance to which Dorset Police belong to have also been able to 


secure funding on a month by month basis to implement overtime 
for data protection staff. 


Decision to issue a reprimand 


1.6 Taking into account all the circumstances of this case, including the 
mitigating factors and remedial steps, the Commissioner has decided to 
issue a reprimand to Dorset Police in relation to the infringements of 
Article 12(3) of the UK GDPR and Part 3, Chapter 3, Section 54 of the DPA 
2018 set out above. 


1.7 Dorset Police were invited to provide representations. Dorset Police 
did not wish to make any representations. 


Further Action Recommended 


1.8 The Commissioner recommends that Dorset Police should take certain 
steps to ensure its compliance with the UK GDPR and the DPA 2018: 


1. In order to ensure compliance with Article 12(3) of the UK GDPR 
and Part 3, Chapter 3, Section 54 of the DPA 2018 Dorset Police 
should continue to ensure that it has adequate staff resources in 
place to process and respond to subject access requests; 


2. Dorset Police should ensure they continue to take the steps outlined 
in their action plan to ensure that subject access requests are 
responded to within statutory deadlines in line with Article 12(3) of 
the UK GDPR and Part 3, Chapter 3, Section 54 of the DPA 2018. 


